Posted by Cliff on Monday February 27, 2006 @09:25PM
from the antivirus-unfriendly-systems dept.

Brady J. Frey asks: "For months, I've had a client that has been looking for a Linux or Mac alternative for their DVR Security systems. They are a large Real Estate company with 200+ cameras worldwide, and their Pelco PC DVRs are hubs for viruses. These systems cannot run anti-virus software at the same time they record -- but require internet inbound/outbound traffic through specific ports that leave some nice holes in the firewall for viruses to find their way in as needed. Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost-effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?"

"We've tried looking at Ben's Security Spy for Mac, and running a Quicktime server, but it was not industrial enough for us and the developer has been elusive. We're looking at Endura by Pelco, but there's some questions unanswered for it.

What I want is a high end, professional DVR system for a large business that does not run Windows. Budget isn't really an issue at this point, since we are just looking for options.

To note, I'm hearing I could possibly do IP cameras, and host any ol' web server I want to download those files, but I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated. If you are an expert in this industry, we may have a need for your services and would welcome that too!"

Give the questioner the benefit of the doubt and expect that obvious solutions have been tried.

When it comes to computer problems, if I were to count all the times that giving someone the benefit of the doubt has helped solve the problem, I'd still have all of my fingers left. Nowadays, when someone comes to me with a computer question, I like to go back to the very beginning (whether it's a configuration file, or a system install, or whatever) and work from there. Nine times out of ten, the solution is sim

Better yet, let someone else worry about it: contact a company like VideoSave [videosave.net]. They have cameras with an onsite staging server. Feeds are then uploaded to their colo facility from which you can view any camera stream over an SSL protected session.

Try deploying a VPN between the sites. The technology to secure communications between several different locations has been around for a while. There's no good reason why these servers should be freely accessible to the Internet. That's just stupid.

Usually it's the Boss's computer heavily infected (No one dares to go into their rooms to clean up the virus), and usually the rule allows all the Boss's computers to access that security cam website.

Or you (the computer-illiterate boss) simply hire employees who will walk into your office and make fun of you for having opened the "Just Click Here fore [sic] a Bigger Penis" e-mail. His skill was that required to run a business; mine was in making fun of anyone without computer savvy (which somehow extended

Sad to say, SecuritySpy isn't even close to "industrial". They won't even support one of the newer D-Link cameras, the 6620G. I have two D-Link 6620G cameras and have been looking for *any* solution, industrial or not, that would let me access my cameras via my Mac.

I am by no means an industry expert, I can tell you that the IP Camera solution is indeed viable. Several of them out there -- check out:

Actually, the 6620Gs have a great low-light picture and a 10x optical zoom. Pan/Tilt, and two-way audio along with being wireless and supporting WPA2 encryption. Hardware wise, it's really pretty good. The firmware blows (as do most Dlink products). I've heard really bad things about the Toshibas and mediocre things about the Sonys. The Dlink seemed to be the best value at the time.

Axis and Panasonic are supposedly really good -- plus a few others that aren't well-known outside of the surveillance industry.

I'm sort of the one man IT department for a small nonprofit that is dependent on technology for tons of different things. Recently, we've begun looking into security for our office (I'll spare you the grisly details.) A traditional CCTV system is completely out of the question. A network camera like the Axis 207 [axis.com] ($300 range) is doable in the hardware sense, but they want an additional $600 for DVR software. I have a spare box I could toss Linux on if there were a good F/OSS solution out there.

www.flextps.org is a GPL package that works really well with Axis video servers. Its main purpose is to stream video streams over the web, but it also has a DVR functionality where you specify which streams you want to record, the frame rate and the duration of recording. It's all perl-based and you could probably use a cronjob to start a 24h recording every midnight.

I have a 4 channel DVCR with ethernet that doesn't use windows on the main system but has a windows app that displays recorded images. Mine records a frame every 1/5 sec onto a 40gig hd and it seems to work ok using cheap cameras. I've looked at the data and I don't think it would take much to write a program for Linux or OS-X. The unit I have is identical to the top 4 channel network unit here [allthings.com.au].

Um, viruses don't just sneak in through open ports. Worms and trojans sneak in through exploits in programs running on those ports. Which exact ports are open? Look, I'm as big a linux zealot as the next guy, but this sounds like a scam. "See the, uhm, viruses are sneaking in through the, uhm, open ports in your windows. You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?

We are 100% Mac and Linux company, so my known system would not be a dated Windows box dumbed down to only run anti-virus when nothing else works:)
It may very well be a weakness in the software -- the ports required are 80 and 9999, that's it -- Pelco themselves duplicated a virus popping into it with a router up top, and since many of these buildings are remote, the expense is not reasonable to have a high end firewall on most of these remote locations when I could just as easily disregard that mess and

It sounds to me like they have a POS 'out of the box' windows solution that leaves so many holes 'out of the box' that when the company PHB's go play directly with the machines (as they're wont to do) their virus-loaded machines then infect the PVR boxes.

I'm gonna guess that, if he goes to a different Windows solution, there are two fears:
(1) the new 'solution' will be as messed up as the current one, and
(2) The PHB's are going to ask "Why are we going to this new system", and if you answer 'security'

It sounds to me like they have a POS 'out of the box' windows solution that leaves so many holes 'out of the box' that when the company PHB's go play directly with the machines (as they're wont to do) their virus-loaded machines then infect the PVR boxes.

That's the case for an awful lot of systems that are built on Windows. I know of horrifically expensive microscopes, for example, which you can't put on a network because the embedded windows machine would get infected.

OK, so you have two ports. I assume viruses aren't getting in through those, since they are serviced by Pelco's own software which has presumably not been targeted by viruses. Put a cheap NAT box (like a $30 linksys wired router) in front of each machine, and forward ports 80 and 9999. That will solve all your virus problems, since Windows viruses can't infect Linksys boxes.

You're an artist. You're probably good at what you do. But, why don't you hire someone who knows something about networking and security to help you out? Wouldn't that make a lot more sense than asking /.?

I agree, this sounds like big pile of horseshit to me. Really, it sounds like you're desperate to get Unix in there any way you can, so you're doing a crappy job and blaming Windows for it. Just because you're a shitty Windows administrator, doesn't mean Windows can't be well administered. How the hell are all those IIS web servers managing to stay up?

Just because something runs Windows doesn't mean it can be administered like your average server or desktop. I've seen plenty of black box setups where you didn't have admin rights to the system and relied on them to release patches, etc and they become virus vectors because the 3rd party vendors weren't fast enough to release fixes through their own infrastructure. Or the vendor insists on handling updates and they aren't quick enough.

I've dealt with plenty of 'black box' systems running windows underneath where they shut you out entirely and you end up with infected nodes that you can't fix and have to wait till the vendor does. That's when it's time to find a new vendor.

How's that a Windows problem? You could have a vendor supply you with a Linux system that you don't have admin rights to and, if they don't patch critical security holes, you're still screwed.

oh for fuck's sake. the MS shills on this site are really beginning to annoy me.

firstly, IIS has only recently (in the last couple of years) become stable enough to reasonably get 20% market share. and that's still only 20%.

secondly, Slashdot has always been more interested in Linux and other UNIX-like operating systems than in Windows systems, so it's the perfect platform to ask a question about a UNIX/Linux/other solution to a particular problem. if you don't like it, shift off somewhere else.

> Really, wouldn't it be better to stick with a known system and, you know, do your job as a sysadmin by fixing any security holes?

A lot easier said than done for a number of windows-based "solutions." I'm always amused by how often we kick the PoS (point of sale or piece of shit, take your pick) systems in our building offline because some new virus comes around and infects them all. As he pointed out you can isolate them through layers of external protection, but it's a hassle and it would be a lot n

Laptops get on the network by someone walking in the door and plugging it in. That's not uncommon at all, even if only for data collection. I don't think I've ever seen a seriously locked down network setup at anything but a large chain[1] but, admittedly, that's not my business (I work with backend systems). Small POS networks I have seen tended to be disconnected from the net, but data has to get in and out of them somehow and it's not just paper and data entry people anymore. Larger installations (or

I can't tell from the original posting whether the client is trying to replace the hub site or protect the remotes or both, and I can't tell if the remote-site equipment is being used for other applications or only for the camera, which makes a *huge* difference in your threat model.

Basic firewall routers cost $29, and you can set them up to only allow connections from your headquarters location, or even to do IPSEC tunnels if your video application doesn't get into PMTU-discovery problems. Installing them at existing locations costs significantly more than $29, but for new locations it's just an extra couple of minutes to plug in the box when you're plugging in the camera.

Basic PCs cost $250, so if you need a headquarters firewall or IPSEC tunnel server, that's basically free - certainly less than you'd charge your client for the amount of time you're reading Slashdot responses \\\\\\\ \\\\ \\\\\\\ researching solutions. And you can run ClamAV on it to protect outgoing traffic.

If your remote sites are using the video box as a general-purpose PC to surf the net and read email, then you need to run an anti-virus application on it and either run a basic firewall box (wimpy, but a good start), or use the firewall to tunnel all your browsing traffic back to a server at headquarters, where you're running Squid and ClamAV and some decent Linux firewalling, and give them an email server that does some anti-virus and spam blocking and an email client that doesn't come from Microsoft. (If this weren't a real estate company, I'd recommend a text-only email system like Pine, but realistically your real estate people need to send pictures to their clients.) Another choice would be to run VNC, in one of its tighter forms, and run any applications on the headquarters server, with appropriate anti-virusing there.

Exactly. I am also very suspecting of software that won't allow unrelated software to operate. Any DVR that can't record when a firewall is scanning traffic is crap, or the scanner program is crap too. The firewall program should be able to allow exceptions for certain programs.

I believe he was worried that the virus scanner will want to scan every new file written to the system, and a machine that records video all day will already have enough cpu activity and disk io to waste resources scanning large, clean files for viruses.

Remember those RPC flaws? SQL Slammer? There are remotely exploitable problems with windows, especially if the boxes are unpatched, that could be prevented with a firewall. The submitter seems to suggest that there are exploitable ports open which the DVR software relies on. Given the mess that is RPC, DCOM, file sharing etc I don't have a hard time believing that.

That said, if you are thinking about hiring someone to help setup a linux solution, why not go open source? As another poster mentioned, Mythtv

You need me to install all new Linux based stuff. See, linux doesn't have ports or windows, so the viruses can't sneak in!"

But, using a Linux/Unix custom distro cd (Think: RedHat Jump Start) can reduce the cost of administration by providing an easily setup, secure default. In other words, the install procedure gets reduced to

1) Install the O/S CD with minimal options
2) Install install script
3) Run a single command (eg: Setup) which sets everything for the O/S up.

As another poster pointed out, yes it's quite easy to not have to reboot all the time. Also, the normal amount of reboots is 3. 1 after copy, 1 after final installation, and 1 after updates. Taking the slipstream + unattended install route leaves you with 1 reboot. That's 50% less reboots than your method! Think of the savings!;)

if you create a windows image or unattended install then YES there are no reboots, it is simply insert CD or send image and 1 reboot at the end. total time 15 minutes or less with no user interaction required.

But you're still comparing apples to oranges.

A "windows image" includes all the drivers preconfigured for a standardized hardware platform. An "unattended install" loads (crappy!) default drivers that generally don't work, and doesn't download updates as part of the install process. In either case, no

...company with 200+ cameras. The problem with the Pelco devices is they are sold as is without any easy way to keep the OS up to date. Our company remembers to update DVR OS software as new things come out.

I myself have asked the exact question to our security cam vendors (and so have all the other larger real estate companies in my city) in part because of the updated software issue. For me, even more helpful would be a more open platform. Pelco (and all DVR vendors) lock you into their hardware platform,

For me, even more helpful would be a more open platform. Pelco (and all DVR vendors) lock you into their hardware platform, and if you so much as add or replace one of their $2000 120GB hard drives, they will discontinue your support.

No kidding. I'm about to take over support for a couple of similar units because the vendor, even for an absurd yearly fee, is completely inflexible. For example, every time a drive dies they swap the entire machine thus losing all the old video. Of course adding any sort of

I work for a pretty major company doing the unix stuff, but you wouldn't believe the trouble our windows guys have installing a fresh machine. We have a big enough company that there are rogue viruses running throughout the company on various people's laptops or even servers that haven't had patches on them or whatever. Viruses do not only come in from the outside through the "firewalls" any more. Any network that allows laptop computers that come in and out of the office are going to bring their dirty l

When the windows guys go to install a fresh copy of Windows 2000 on a box connected to our network, you can guarantee that machine has a virus before they can install the patches on the machine. They typically install the box off the network and then 'sneaker net' the service packs and other patches onto the machine before plugging it into the network.

But why? You can get a NAT router from Office Max for $20. It will allow for Internet Access, but make machines connected to it effectively invisible to worms

Worms and trojans sneak in through exploits in programs running on those ports.

No, trojans are executed by the user in the belief that it is an application that the user wants (or needs) to run. Viruses hook on to other executables, causing themselves to be run when that executable is run; they generally fork (or similar), execute the real executable, then seek out other executables to infect. Worms are the only self-mobile code, and do indeed seek out open ports to exploit holes in the software listening

How many of you just stick a computer on the end of an Internet connection without a firewall?

I do. All the time. RHES/CentOS based Linux systems. For years, anytime I've had a security breach happen, it happened well after I was aware of a problem. (Not all the systems I admin are actually mine - meaning that, when I identify a problem, I have to get approval to actually go fix it)

But, it's routine for me. No firewall. In fact, in quite a number of cases, the Linux system IS the firewall. I don't admin AN

I don't know if they have a turn-key solution for you, but Axis Communications has some of the best cameras I've seen. They are linux based and very easy to write glue code for between systems (very open API's and development models). In general they are high quality cameras I would stake my job against.

Can't you toss the PVRs on DMZs off your existing firewalls? And the equipment outlay for new Linux boxes with supported PVR security software, if they do exist, is probably more per unit than the cost of little PIXs, if you couldn't set up DMZs for some reason.

Apple is having a big media event to launch new products tomorrow. It's pretty much a given they'll be releasing the Intel Mini, and there's some strong speculation it will include a DVR and TiVo-killer software.

Opening a port for the video network traffic shouldn't open you up to viruses, even on Windows. If these machines are 'virus hubs' then they are certainly being used for other purposes. First, restrict access to the servers so that they are only used for their intended purpose of capturing video, and not, say, surfing the web. If you are really concerned, you should run the capture process under a non-administrator account, so that even if the application consuming and generating network traffic is insecure

Supercircuits [supercircuits.com] has a lot of camera and recording gear. The DMR3-CD-PW-16 [supercircuits.com] has 16 channels, up to 2500GB disc capacity, compression, built-in CD-R, etc. If you're using regular composite video sources, it would be possible to build one of these yourself with a bunch of 4 input video capture cards [webcamsoft.com].

If you're using IP cameras that stream MP4 or whatever over ethernet, why not employ a VPN? You can get a nice hardware VPN endpoint such as one of those SOHO Sonicwalls (google for it) on each end, or a linux box

I second this... though I believe they are Windows based (something the submitter seemed to want to avoid).

We have several DS2s installed for years, and there have been two glitches... both caused by power spike/loss. Each time the DVR had to be reset, and though we lost our video archive (what little was not backed up) the DVRs reloaded and reinitialized themselves without issue.

I don't understand, aren't these dedicated boxes? Just turn off unnecessary services, run the service packs, and use a firewall to restrict access by IP address (even the XP SP2 / W2K3 built in firewall can do this). Windows isn't that vulnerable with basic precautions. Especially dedicated and presumably mostly locked down machines.

Guess what? If you want remote access to the camera, every OS or hardware IP camera will require open ports! It's just a matter of working within that requirement - e.g.

Windows based DVRs tend to also use ActiveX for remote access/viewing. I have one Windows DVR that works very well at my building. It records for 20 cameras and has remote viewing.

But unless I'm at a Windows computer, I can't log into my DVR security remotely to see what's going on. About once or twice a year, I get a call from my security company because an alarm has gone off. I can't check on my building from the comfort of my bedroom and my Mac laptop. I have to head downstairs to the office, and boot

Something to keep in mind: One reason why Windows-based systems have the problems they do with viruses, worms, and trojans, is that Windows-based systems still make up the bulk of the systems in use. Linux, MacOSX, and other UNIX relatives are not necessarily more or less invulnerable to these pests; the people who create the pests are simply:

1) as or more likely to have Windows systems themselves (based simply on the odds);

2) more likely to find victims running Windows than other OSes because there are a v

Check out the firm, Cryptocybernetics, LLC. [cryptocybernetics.com] as this is our bread and butter area of development. We work with such companies as General Dynamics (and Microsoft) for unique DRM solutions and have a DRM/PVR offering we can port to either Mac or Linux for PVR applications. I know DRM is not your primary concern, but one of our systems was approved by the major motion picture studios for early content release on portable players (for airplanes). We are security / virus protection aware and would welcome an oppu

At the ICS West security conference last year, there were dozens of vendors showing Linux based DVR security systems. Some were even just their capture card and an IDE dongle containing the entire Linux OS and their DVR application. Just put it in a system with an existing HD on the secondary IDE bus and you'll soon be running a Linux based DVR. Most were advertising "embedded OS" and higher reliability than PC (Windows) based DVRs. I had put together a list a couple of years ago and will post them here. y

1) You say, "Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost effective method for a number of their locations," but then go on to say, "Budget isn't really an issue at this point, since we are just looking for options." Which is it?

2) Why is it you can't run anti-virus while recording? I'll bet it's a performance issue and if so, you've either looked

As some others have alluded, the real question you should be asking yourself is WTF are security assets doing on your public network where anybody can have a shot at them? For crying out loud, set up a DMZ. It shouldn't matter if the OS is a craptastic sploitfest, because only trusted hosts should be able to access specific ports on them. That being said, when you do replace that system it would be a good idea to use an OS that's not a craptastic sploitfest.

Yes, we could put up a server in front of each, or a router that has anti-virus built in, however this is not a cost effective method for a number of their locations. Therefore we are looking for alternatives. Any suggestions?"

Budget isn't really an issue at this point, since we are just looking for options.

Obviously, budget is an issue. You just said so. You state that you "are just looking for options" and you've already ruled out some based on cost. Are you looking for a turn-key solution? Somethi

Because you have not provided a budget, yet feel that an additional server to act as a firewall/virus blocker is too expensive, it's hard to offer a good recommendation. In any case there are a few options using Linux. If you are looking to capture/collect snapshots over time, you could do anything from ip based webcams with a backend on Linux using wget to collect snapshots from each camera. Those get hosted on the Linux box as a web page for each location. On each of those pages, display the last 6 or so sn

I have no clue as to how to control the cameras, or if this is really a possibility. Any advice or information is appreciated.

I'm not an expert, but I worked in a place that used to sell these Windozy systems. It made me cringe at the time and I'm not surprised to learn they are a virus magnet and easy to 0wn. I never learned to do the same things with free software, but I did learn a few things.

Camera control is usually silly. For the price of one tilt device, you can buy two or three normal cameras

The typical host on the internet has a default route and answers to everyone on the internet. Do these hosts need to talk to everyone on the internet? Could they get by with specific host routes back to a couple/few subnets for uploading videos or whatever and administration? Malicious scanning and 99.9% of network exploits won't work when you aren't sending packets back. Otherwise my suggestion would be to put firewall software on the existing boxes, or firewall devices in front of them, or get in a lab and

First, you say you can't change the ports that are used. But you can make it look like you changed the ports? Here is the idea: camera server must run on port 80 (or whatever). So you run a little program on the Windows box that takes any connections on port 8347 (just some random number) and forwards that connection (through the loopback) to port 80. Port 80 is never exposed outside of the box (must be loopback to connect). I know this can be done on U

I kind of hate to turn this into a shameless plug, but my company has been developing exactly what you need. We've got a linux-based network camera which would be perfect for your application. Google Ingenient Technologies.

Okay, now here's the problem: We are an engineering firm - we sell the reference design to other companies which actually manufacture and market the hardware. However, we might be able to work something out with an intermedi

I personally run 50 IP cameras (Axis) to 5 Xserve DP G5s. They all dump their data to dual XServe RAIDs (located in separate parts of the building for physical separation) using XSan (with 1 XServe as a XSan controller), page me via an email when a camera should not be going off at night of the picture, run scripts that write out formatted logs for motion activity.

It took about 4 months to get everything running smoothly - camera settings, getting enough machines to do the work, compression levels that were

If your client trusts in your expertise well enough to ask this question, and you've led them on by pretending to know what you're doing (we can deduce this based on your need to post a question to "Ask Slashdot"), maybe you ought to save yourself from the forthcoming embarrassment and step down from this project?

Check out VBrick Systems [vbrick.com]. They make some cool encoders, some with built-in hard drives for recording. They also have software that can record from these streams (but it runs on Windoze - the actual "bricks" run a Unix-based embedded OS).

My company deploys Linux-powered DVRs all the time. They are basically bulletproof: embedded RHL-based systems running on commodity PC hardware. These things have zero downtime, have virtually no risk of hacking since they are embedded, and are very inexpensive to deploy. There is a company called Neon which puts together pre-configured PROMs, you just plug them into an IDE chain on a system which meets specs and you're good to go. These things are more like an appliance when they're setup than a computer,

These things want plain old P4 Gigabyte motherboards with a few hundred megs of DDR, very affordable rigs and no Linux experience necessary. There's a pretty GUI on the DVR end if you choose to put a head on it, and there's a remote web interface from which you can watch & control feed in-browser. Here's a few screenshots for you on the client end:

First, if you haven't already you should head on over to www.cctvforum.com . It's not Linux focused but there are lots of folks there who know their DVRs. Second, there are several "Linux on a DOM" solutions and I think one of the more popular is called VPON.

Third, are you sure you really want a PC based DVR rather than a dedicated solution. Many of the dedicated dvrs run Linux and even the ones that run Windows have stripped it down to the point where it should be pretty safe.

Can I assume these machine are running either Win2k or WinXP? If they are, read up on IPSEC. If not, bless your heart.

You can set an IPSEC policy on all of these machines that will make them require authentication in order to communicate with each other and/or the servers they talk to. You can use Kerberos (domain required for Kerberos. It's probably not for you), Certificate, or a shared key as the authentication mechanism. This will keep any foreign machines from connecting to and infecting your ob

My company runs 2 Pelco DX7000s, 26 cameras in total. I'm not sure what you mean when you say "their Pelco PC DVR's are hubs for viruses". I don't think we've ever had any sort of virus on either of our systems...

Since you know the "allowed" type of traffic, put a proxy in front of them. Have the proxy only pass "approved" in and outbound types of traffic. Anything else just gets dropped. TIVO is a DVR and it's linux based. I know that there was some open source stuff out there for a while, but it was missing a sufficient amount of proprietary code that no one was ever able to get it working. You might be able to do something with the Myth TV stuff, but that's more of PVR than DVR.

Big thing to watch for is insist on seeing a similarly sized system to what you want in operation before you sign anything. When you are running the system, do a lot of browser backs. Interrupt it in the middle of things. Bring up six live views at once.

Watch for systems that have to have components reset/restarted. Computers, cameras, hubs, things like that. Insist on references, and check them. (Good idea for anything, really.)

I have been doing this for years. My largest client had one requirement - he's a Mac user. I ended up setting up many AXIS 2420 cameras (including audio and night vision). I wrote custom code to interface with the cameras and created my own front end. The built in web based front-end would have sufficed, but I wanted to put in custom functionality, such as the ability to change the passwords on a few dozen cameras with one swoop, the ability to view 4 or 8 cameras in one screen, etc. I created a 3D map of t

My first question is, are you planning on replacing the entire system used, not only client/server but also cameras? My guess is that the cameras connect to a hub of sorts that then simply transfer the software to a server, the server runs a web server with specific software that lets you view the incoming video/audio from the different locations.

If this was your situation then the cameras wouldn't need any type of computers or firewalls. If this isn't the solution you are using then your entire install

And get a decent f/w system and rules in place in front of the central server and at each location (internet connection) to which you have IP cameras installed.

Deny all traffic to the server except for the IP addresses and ports of the remote cameras.

We have been using a Pelco system in this manner with remote cameras on 2 continents for 3 years without incident of virus or trojan or crash.

The thing you should be worried about with Pelco cameras is the bandwidth usage at night with minimal lighting combined with lower bandwidth video settings. The compression method used can leave artifacts and this compression appears to be done before the "movement comparison" stage where the camera decides to send a new frame. At night with low light levels this causes black level banding and other dotting artifacts to appear. The movement comparison routines see this as... you guessed it MOVEMENT. This results in higher bandwidth usage at night. Our solution? Turn on the lights.
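The allowlist that the comment above and several earlier ones describe (only known addresses may reach the DVR, on the ports 80 and 9999 the submitter names), written out as an added example that is not part of any poster's comment. It assumes a Linux box with iptables routing traffic to the DVR; the function names and every address are hypothetical, constructed values.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Linux box that routes
# traffic to a DVR. Only listed sources may open connections to TCP 80 and
# 9999 on the DVR; every other forwarded packet is dropped, and denied
# attempts aimed at the DVR are logged at a limited rate.

DVR_PORTS="80,9999"   # the two ports the submitter says the DVR software needs

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;   # only digits, dots and a slash may appear
    esac
    printf '%s\n' "$1" | awk -F'[./]' '
        !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
          if (NF == 5 && $5 > 32) exit 1 }'
}

# Usage: dvr_ruleset DVR_IP ALLOWED_SOURCE [ALLOWED_SOURCE ...]
# Prints the ruleset on stdout. All input is validated before the first line
# is written, so a typo cannot produce a partial or wide-open policy.
dvr_ruleset() {
    if [ "$#" -lt 2 ]; then
        echo "usage: dvr_ruleset DVR_IP ALLOWED_SOURCE..." >&2
        return 1
    fi
    dvr_ip=$1
    shift
    case $dvr_ip in
        */*) echo "DVR must be a single address: $dvr_ip" >&2; return 1 ;;
    esac
    valid_ipv4_cidr "$dvr_ip" || { echo "bad DVR address: $dvr_ip" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        case $src in
            */*) # a zero-length prefix would match the whole internet
                 [ "${src#*/}" -gt 0 ] || {
                     echo "refusing source $src: matches every host" >&2
                     return 1
                 } ;;
        esac
    done

    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    # Replies on connections that were allowed in are let through.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for src in "$@"; do
        echo "-A FORWARD -s $src -d $dvr_ip -p tcp -m multiport --dports $DVR_PORTS -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else falls to the DROP policy; log what was aimed at the DVR.
    echo "-A FORWARD -d $dvr_ip -m limit --limit 6/min -j LOG --log-prefix \"DVR-DENY \""
    echo 'COMMIT'
}

# Demo with constructed values: one headquarters host and one office subnet.
# Review the output before loading it as root with iptables-restore, which
# replaces the current filter table unless --noflush is given.
# New connections started by the DVR itself are also dropped by this policy;
# add explicit rules if the DVR has to call out.
dvr_ruleset 192.0.2.20 198.51.100.10/32 203.0.113.0/24
```

Only the FORWARD chain is declared here; rules for traffic addressed to the filtering box itself are a separate decision.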

I'm sure it's the application -- but at the same time, this would be a mute issues on a linux/mac setup.

I think you meen moot.

For the application that you describe viruses should not be a threat on any platform. There should be no users on the box and if there are users they should not run using admin privs unless they are doing admin. Break those rules and you are in trouble regardless.

Your problem is going to come from worms. There are plenty of worms that attack UNIX boxes.

1. While I hate Windows, I've assembled DVR systems (1.5 tb of raid storage, 16 channels video+audio @ 25fps, viewable/searchable over the internet) that don't have problems with anti-virus software. (now you can go up to 64 av channels per unit on the same system, btw).

2. I tested a few linux-based systems - they're "not there yet." Maybe in a couple more years.

However, keep in mind that these solutions require custom hardware, so you can't just "upgrade" the software on your current systems. Also, it works with conventional CCTV security cameras (regular, pan-tilt-zoom, and infrared), not the crappy IP Net-Cams from Axis and others.

1) Patch the OS religiously.
2) Remove/shutdown everything that is not being used. As others have noted, worms and viruses attack applications, not ports. If there's nothing listening on a port, you're pretty safe... assuming the attack isn't against the stack itself, but those types of worms aren't very common.
3) 80 through 9999 is a shitload of ports. I'd suspect that not all are being used by the DVR app, as there are ports between 80 and 9999 that are used for other services. Here's a list: http://www.che [chebucto.ns.ca]

We are a wealthy real estate company getting hit with a lot of viruses. Could you please post a phony news story about our plight, that way your zombie horde of misanthropic programmers will code a free solution for us; for free! Ooops, gotta go, just sold another $8,000,000.00 house in La Jolla and we have to pick up our 8% commission.
Thanks,
Your Friends in the real estate business.

Why not, look at all the free stuff they've already coded up for them?